The splash page also reveals the device’s internal IP address to unauthenticated visitors.

Finally, the /set/comment.html page contains a stored XSS (CVE-2013-78009). You get to this page by clicking “Add HACCP Note” and then inserting a standard XSS string in the “Comment” field (the newhaccpcomment parameter). The page doesn’t seem to scrub any user input.
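
The missing control, as an added example (not code from the device or from this write-up): encode the stored comment when it is written into the page, and verify with an HTML parser that the rendered note contributes no elements or attributes of its own. The table-cell template, the function names and the sample comments are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed samples of text stored via the newhaccpcomment parameter.
STORED_COMMENTS = [
    "Cooler 2 door left open during delivery",
    "Temp < 4 C & holding",
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
]

def render_unsafe(comment: str) -> str:
    """Behaviour described above: the stored text is echoed verbatim."""
    return f'<td class="note" title="{comment}">{comment}</td>'

def render_safe(comment: str) -> str:
    """Encode at output time; quote=True also covers the attribute context."""
    encoded = html.escape(comment, quote=True)
    return f'<td class="note" title="{encoded}">{encoded}</td>'

class _Audit(HTMLParser):
    """Records every element and attribute name the parser actually sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.elements, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, sorted(name for name, _ in attrs)))

    def handle_data(self, data):
        self.text.append(data)

def is_inert(rendered: str, comment: str) -> bool:
    """True if only the template's own <td class title> exists and the
    comment round-trips as plain text."""
    audit = _Audit()
    audit.feed(rendered)
    audit.close()
    only_template = audit.elements == [("td", ["class", "title"])]
    return only_template and "".join(audit.text) == comment

if __name__ == "__main__":
    for c in STORED_COMMENTS:
        print(f"{c!r:45} unsafe_inert={is_inert(render_unsafe(c), c)} "
              f"safe_inert={is_inert(render_safe(c), c)}")
```

The same `is_inert` check works as a regression test against any page that displays stored notes, since it fails whenever a comment adds an element or an attribute to the parsed output.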